Security Center

Patient Home Monitoring Service Leaks Private Medical Data Online

2017-10-10

By Security Center

Kromtech Security Researchers have discovered another publicly accessible Amazon S3 repository. This time it contained medical data: 316,363 PDF reports in the form of weekly blood test results. Many of these were multiple reports on individual patients; it appears that each patient had weekly test results, around 20 files per patient. That would still be an estimated 150,000+ people affected by the leak. The database appears to be connected to a “Patient Home Monitoring” company that provides an in-home testing program aimed at improving clinical patient outcomes and saving patients from weekly office visits.

The PDF documents were named after the patients and included first and last names and dates.

Development Server Backup

Doctors' names, case management notes, additional client information

What is INR self-test?

The specific blood test used to measure the time it takes for blood to clot is called a prothrombin time test, or protime (PT). The PT is reported as the International Normalized Ratio (INR). The INR is a calculation based on results of a PT test and is used to monitor individuals who are being treated with the anticoagulation medication warfarin.

Patients prescribed warfarin must have their blood monitored frequently – at least once a month and sometimes as frequently as twice weekly – to confirm that the dose of warfarin prescribed is in a safe and effective range.

Careful and routine INR testing helps physicians monitor and, as needed, adjust a patient's warfarin dosage – either up or down – to ensure that a patient is optimally protected from both blood clots and dangerous bleeding. Medication adjustments usually result in additional blood tests to check a patient's INR and ensure effectiveness and safety.

The rundown of events:

We first identified the bucket on Friday, Sept 29th.

A notification email was sent on October 5th (it took some time to find an adequate email address to direct this to, and I was also traveling on those days).

On October 6th, the bucket was secured from public access. Nobody got back to us with any statement or response.

According to the company's privacy page - “You have the right to know who has accessed your confidential healthcare information and for what purpose”. It is unclear how they will notify their clients and inform them that their confidential data has been leaked online. Dealing with any form of medical data is risky and it is required by law to notify affected patients of a data breach.

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media of a breach of unsecured PHI. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.

Alex Kernishniuk, VP of Strategic Alliances, Kromtech:

This is yet another wake-up call for companies who try to bridge the gap between healthcare and technology to make sure cyber security is also a part of their business model. This Amazon repository was misconfigured to be publicly available and anyone with an internet connection could access these confidential medical records. Even the most basic security measures would have prevented this data breach. Unfortunately, there are many more databases and cloud storage repositories waiting to be discovered and the Kromtech Security Center is committed to helping to secure and protect data online.

Bob Diachenko, chief communications officer, Kromtech:

As part of these efforts, Kromtech Security developed a free tool, S3 Inspector, which should help a company or a person automatically check all their buckets for public access. The tool generates a report with an indicator whether your bucket is public or not, checks permissions and lists URLs for all your buckets.
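The kind of check described above, as an added example that is not Kromtech's S3 Inspector and not code from the original post: it evaluates a bucket's ACL and bucket policy offline for grants to the world (`AllUsers`) or to any AWS account holder (`AuthenticatedUsers`, which is effectively public), and for policy statements that allow a wildcard principal. The ACL and policy documents are constructed samples shaped like what boto3's `get_bucket_acl()` returns and the JSON string that `get_bucket_policy()` returns in its `Policy` field; the bucket names are hypothetical.

```python
"""Offline public-access check for S3 bucket ACLs and bucket policies.

Added example, not Kromtech's tool. The sample documents at the bottom are
constructed to look like boto3's get_bucket_acl() result and the parsed
JSON from get_bucket_policy()["Policy"].
"""
import json

# Canned S3 group URIs whose presence in an ACL grant makes the bucket
# readable by everyone (AllUsers) or by any AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees are specific accounts
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if group:
            findings.append((group, grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (sid, actions, conditioned) for each Allow statement with a
    wildcard principal. conditioned=True means a Condition block narrows
    the grant and a human should review it rather than assume it is public."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", ""), tuple(actions), "Condition" in stmt))
    return findings


def assess_bucket(name, acl, policy=None):
    """One verdict per bucket: public if the ACL grants to a public group or
    the policy has an unconditional wildcard-principal Allow."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy) if policy else []
    unconditional = [hit for hit in policy_hits if not hit[2]]
    return {
        "bucket": name,
        "public": bool(acl_hits) or bool(unconditional),
        "acl_grants": acl_hits,
        "policy_statements": policy_hits,
    }


# Constructed samples (hypothetical bucket names and account IDs).
OWNER = {"DisplayName": "example-owner", "ID": "0" * 64}
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    ],
}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}""")

if __name__ == "__main__":
    for verdict in (assess_bucket("example-reports", LEAKY_ACL, LEAKY_POLICY),
                    assess_bucket("example-private", PRIVATE_ACL)):
        print(json.dumps(verdict, indent=2))
```

To run this against real buckets, feed `assess_bucket` the dict from `s3.get_bucket_acl(Bucket=name)` and `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` (catch the `NoSuchBucketPolicy` client error for buckets without a policy). Object-level ACLs can still expose individual files in a bucket that reports as private here, so a full audit also walks objects.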

Healthcare costs in the United States are a tangled mess of inefficiency with no standard of costs for services. The same procedure can cost thousands of dollars more at a neighboring hospital, and these prices are never clear or justified against a standard rate. The introduction of Electronic Medical Records (EMR) was supposed to fix much of the administrative waste and help lower the costs. Industry experts predicted that real-time health monitoring, Patient Self Testing (PST), and Patient Home Monitoring (PHM) would revolutionize the patient home care industry, but what about data privacy?

The New York-based Commonwealth Fund ranks the United States dead last in the quality of its health-care system when compared with 10 other western, industrialized nations.

Sadly, the U.S. has the most expensive, least effective health care system by nearly every measurement. The US spends almost 20% of its entire GDP, or $3 TRILLION DOLLARS, on healthcare. Complex insurance rules and distorted market signals create massive inefficiencies, frustrated patients, and providers burdened by excessive paperwork. No one will deny that digital records and patient home monitoring could bring some much needed efficiency; however, protecting that valuable medical data is a priority that must be taken seriously.

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.